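# syntax=docker/dockerfile:1

# Build-time switches. CROSS and SYSTEMD select between the "-true" and
# "-false" stage variants defined below (cross-${CROSS}, runtime-dev-cross-${CROSS},
# dev-systemd-${SYSTEMD}).
ARG CROSS="false"
ARG SYSTEMD="false"
ARG GO_VERSION=1.20.10
# Declared as ARG (and re-declared per stage) so it is not baked into the
# runtime environment of the resulting images.
ARG DEBIAN_FRONTEND=noninteractive
ARG VPNKIT_VERSION=0.5.0
ARG DOCKER_BUILDTAGS="apparmor seccomp"

ARG BASE_DEBIAN_DISTRO="bullseye"
# NOTE(review): the base images are selected by tag only. Pinning them by
# digest would make builds reproducible and guard against a re-pushed tag.
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

FROM ${GOLANG_IMAGE} AS base
# Keep downloaded .deb files; presumably so that the /var/cache/apt cache
# mounts used by the later stages stay populated between builds.
RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
ARG APT_MIRROR
# Optionally redirect apt to a mirror. APT_MIRROR is substituted verbatim into
# the sed replacement, so it must be a plain host name (no "/" or "&").
RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
 && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
ENV GO111MODULE=off

FROM base AS criu
ARG DEBIAN_FRONTEND
# Install dependency packages specific to criu
RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libcap-dev \
            libnet-dev \
            libnl-3-dev \
            libprotobuf-c-dev \
            libprotobuf-dev \
            protobuf-c-compiler \
            protobuf-compiler \
            python3-protobuf

# Install CRIU for checkpoint/restore support
ARG CRIU_VERSION=3.14
# curl runs with -f so that an HTTP error is reported as a curl failure
# instead of the error page being piped into tar.
# NOTE(review): the archive is fetched by tag and is not checked against a
# known digest before it is built; record a trusted sha256 and verify it here.
RUN mkdir -p /usr/src/criu \
    && curl -fsSL https://github.com/checkpoint-restore/criu/archive/v${CRIU_VERSION}.tar.gz | tar -C /usr/src/criu/ -xz --strip-components=1 \
    && cd /usr/src/criu \
    && make \
    && make PREFIX=/build/ install-criu

FROM base AS registry
WORKDIR /go/src/github.com/docker/distribution
# Install two versions of the registry. The first one is a recent version that
# supports both schema 1 and 2 manifests. The second one is an older version that
# only supports schema1 manifests. This allows integration-cli tests to cover
# push/pull with both schema1 and schema2 manifests.
# The old version of the registry is not working on arm64, so installation is
# skipped on that architecture.
# Both checkouts are pinned to full commit SHAs rather than branches or tags.
ENV REGISTRY_COMMIT_SCHEMA1=ec87e9b6971d831f0eff752ddb54fb64693e51cd
ENV REGISTRY_COMMIT=47a064d4195a9b56133891bbb13620c3ac83a827
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ \
        set -x \
        && git clone https://github.com/docker/distribution.git . \
        && git checkout -q "$REGISTRY_COMMIT" \
        && GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
           go build -buildmode=pie -o /build/registry-v2 github.com/docker/distribution/cmd/registry \
        && case $(dpkg --print-architecture) in \
               amd64|armhf|ppc64*|s390x) \
               git checkout -q "$REGISTRY_COMMIT_SCHEMA1"; \
               GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"; \
                   go build -buildmode=pie -o /build/registry-v2-schema1 github.com/docker/distribution/cmd/registry; \
                ;; \
           esac

FROM base AS swagger
WORKDIR $GOPATH/src/github.com/go-swagger/go-swagger
# Install go-swagger for validating swagger.yaml
# This is https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix
# TODO: move to under moby/ or fix upstream go-swagger to work for us.
# The fork is checked out at a fixed commit SHA.
ENV GO_SWAGGER_COMMIT=c56166c036004ba7a3a321e5951ba472b9ae298c
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ \
        set -x \
        && git clone https://github.com/kolyshkin/go-swagger.git . \
        && git checkout -q "$GO_SWAGGER_COMMIT" \
        && go build -o /build/swagger github.com/go-swagger/go-swagger/cmd/swagger

FROM debian:${BASE_DEBIAN_DISTRO} AS frozen-images
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-frozen-images-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-frozen-images-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            ca-certificates \
            curl \
            jq
# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
COPY contrib/download-frozen-image-v2.sh /
ARG TARGETARCH
# Every image below is referenced by tag and sha256 digest.
RUN /download-frozen-image-v2.sh /build \
        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
        busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
        debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)

# Without cross-compilation the base stage is used unchanged.
FROM base AS cross-false

# Cross-compilation toolchains; this variant is fixed to linux/amd64.
FROM --platform=linux/amd64 base AS cross-true
ARG DEBIAN_FRONTEND
RUN dpkg --add-architecture arm64
RUN dpkg --add-architecture armel
RUN dpkg --add-architecture armhf
RUN dpkg --add-architecture ppc64el
RUN dpkg --add-architecture s390x
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            crossbuild-essential-arm64 \
            crossbuild-essential-armel \
            crossbuild-essential-armhf \
            crossbuild-essential-ppc64el \
            crossbuild-essential-s390x

# Resolves to cross-true or cross-false depending on the CROSS build arg.
FROM cross-${CROSS} AS dev-base

FROM dev-base AS runtime-dev-cross-false
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-false-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            binutils-mingw-w64 \
            g++-mingw-w64-x86-64 \
            libapparmor-dev \
            libbtrfs-dev \
            libdevmapper-dev \
            libseccomp-dev \
            libsystemd-dev \
            libudev-dev

FROM --platform=linux/amd64 runtime-dev-cross-false AS runtime-dev-cross-true
ARG DEBIAN_FRONTEND
# These crossbuild packages rely on gcc-<arch>, but this doesn't want to install
# on non-amd64 systems, so other architectures cannot crossbuild amd64.
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libapparmor-dev:arm64 \
            libapparmor-dev:armel \
            libapparmor-dev:armhf \
            libapparmor-dev:ppc64el \
            libapparmor-dev:s390x \
            libseccomp-dev:arm64 \
            libseccomp-dev:armel \
            libseccomp-dev:armhf \
            libseccomp-dev:ppc64el \
            libseccomp-dev:s390x

FROM runtime-dev-cross-${CROSS} AS runtime-dev

# The tool stages below share one pattern: hack/dockerfile/install from the
# build context is bind-mounted at /tmp/install and install.sh is run with the
# tool name, writing its output under PREFIX=/build. The ARG declared in each
# stage is presumably read by the matching installer script; none of them has
# a default here, so the version or commit is decided outside this file.
FROM base AS tomlv
ARG TOMLV_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh tomlv

FROM base AS vndr
ARG VNDR_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh vndr

FROM dev-base AS containerd
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libbtrfs-dev
ARG CONTAINERD_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh containerd

FROM dev-base AS proxy
ARG LIBNETWORK_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh proxy

FROM base AS golangci_lint
ARG GOLANGCI_LINT_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh golangci_lint

FROM base AS gotestsum
ARG GOTESTSUM_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh gotestsum

FROM base AS shfmt
ARG SHFMT_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh shfmt

FROM dev-base AS dockercli
ARG DOCKERCLI_CHANNEL
ARG DOCKERCLI_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh dockercli

FROM runtime-dev AS runc
ARG RUNC_VERSION
ARG RUNC_BUILDTAGS
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh runc

FROM dev-base AS tini
ARG DEBIAN_FRONTEND
ARG TINI_VERSION
RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            cmake \
            vim-common
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh tini

FROM dev-base AS rootlesskit
ARG ROOTLESSKIT_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh rootlesskit
COPY ./contrib/dockerd-rootless.sh /build
COPY ./contrib/dockerd-rootless-setuptool.sh /build

# NOTE(review): the vpnkit binaries come from an image in a personal Hub
# namespace that is referenced by tag only. Pinning both references by digest
# would fix exactly which binary ends up in /usr/local/bin.
FROM --platform=amd64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-amd64

FROM --platform=arm64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-arm64

FROM scratch AS vpnkit
COPY --from=vpnkit-amd64 /vpnkit /build/vpnkit.x86_64
COPY --from=vpnkit-arm64 /vpnkit /build/vpnkit.aarch64

# TODO: Some of this is only really needed for testing, it would be nice to split this up
FROM runtime-dev AS dev-systemd-false
ARG DEBIAN_FRONTEND
RUN groupadd -r docker
RUN useradd --create-home --gid docker unprivilegeduser \
 && mkdir -p /home/unprivilegeduser/.local/share/docker \
 && chown -R unprivilegeduser /home/unprivilegeduser
# Let us use a .bashrc file
RUN ln -sfv /go/src/github.com/docker/docker/.bashrc ~/.bashrc
# Activate bash completion and include Docker's completion if mounted with DOCKER_BASH_COMPLETION_PATH
RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
RUN ldconfig
# Set dev environment as safe git directory to prevent "dubious ownership" errors
# when bind-mounting the source into the dev-container. See https://github.com/moby/moby/pull/44930
RUN git config --global --add safe.directory $GOPATH/src/github.com/docker/docker
# This should only install packages that are specifically needed for the dev environment and nothing else
# Do you really need to add another package here? Can it be done in a different build stage?
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            apparmor \
            bash-completion \
            bzip2 \
            inetutils-ping \
            iproute2 \
            iptables \
            jq \
            libcap2-bin \
            libnet1 \
            libnl-3-200 \
            libprotobuf-c1 \
            net-tools \
            patch \
            pigz \
            python3-pip \
            python3-setuptools \
            python3-wheel \
            sudo \
            thin-provisioning-tools \
            uidmap \
            vim \
            vim-common \
            xfsprogs \
            xz-utils \
            zip

# Switch to use iptables instead of nftables (to match the CI hosts)
# TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
RUN update-alternatives --set iptables  /usr/sbin/iptables-legacy  || true \
 && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
 && update-alternatives --set arptables /usr/sbin/arptables-legacy || true

# Version is pinned; --no-cache-dir keeps pip's download cache out of the layer.
RUN pip3 install --no-cache-dir yamllint==1.26.1

COPY --from=dockercli     /build/ /usr/local/cli
COPY --from=frozen-images /build/ /docker-frozen-images
COPY --from=swagger       /build/ /usr/local/bin/
COPY --from=tomlv         /build/ /usr/local/bin/
COPY --from=tini          /build/ /usr/local/bin/
COPY --from=registry      /build/ /usr/local/bin/

# Skip the CRIU stage for now, as the opensuse package repository is sometimes
# unstable, and we're currently not using it in CI.
#
# FIXME(thaJeztah): re-enable this stage when https://github.com/moby/moby/issues/38963 is resolved (see https://github.com/moby/moby/pull/38984)
# COPY --from=criu          /build/ /usr/local/
COPY --from=vndr          /build/ /usr/local/bin/
COPY --from=gotestsum     /build/ /usr/local/bin/
COPY --from=golangci_lint /build/ /usr/local/bin/
COPY --from=shfmt         /build/ /usr/local/bin/
COPY --from=runc          /build/ /usr/local/bin/
COPY --from=containerd    /build/ /usr/local/bin/
COPY --from=rootlesskit   /build/ /usr/local/bin/
COPY --from=vpnkit        /build/ /usr/local/bin/
COPY --from=proxy         /build/ /usr/local/bin/
ENV PATH=/usr/local/cli:$PATH
ARG DOCKER_BUILDTAGS
ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
WORKDIR /go/src/github.com/docker/docker
VOLUME /var/lib/docker
VOLUME /home/unprivilegeduser/.local/share/docker
# Wrap all commands in the "docker-in-docker" script to allow nested containers
# No USER instruction is set anywhere in this file, so the dev container keeps
# the base image's default user (root, unless the base image sets another).
ENTRYPOINT ["hack/dind"]

FROM dev-systemd-false AS dev-systemd-true
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            dbus \
            dbus-user-session \
            systemd \
            systemd-sysv
# The script fetched here becomes this image's ENTRYPOINT. curl runs with -f so
# that an HTTP error fails the build; without it the error response body would
# be saved, marked executable and used as the entrypoint. The URL is pinned to
# a full commit SHA.
# NOTE(review): the downloaded file is not compared against a recorded digest.
RUN mkdir -p hack \
  && curl -fsS -o hack/dind-systemd https://raw.githubusercontent.com/AkihiroSuda/containerized-systemd/b70bac0daeea120456764248164c21684ade7d0d/docker-entrypoint.sh \
  && chmod +x hack/dind-systemd
ENTRYPOINT ["hack/dind-systemd"]

# Resolves to dev-systemd-true or dev-systemd-false depending on SYSTEMD.
FROM dev-systemd-${SYSTEMD} AS dev

FROM runtime-dev AS binary-base
# Build metadata is passed in as build args and exported into the environment
# of the build stages that derive from this one.
ARG DOCKER_GITCOMMIT=HEAD
ENV DOCKER_GITCOMMIT=${DOCKER_GITCOMMIT}
ARG VERSION
ENV VERSION=${VERSION}
ARG PLATFORM
ENV PLATFORM=${PLATFORM}
ARG PRODUCT
ENV PRODUCT=${PRODUCT}
ARG DEFAULT_PRODUCT_LICENSE
ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}
ARG DOCKER_BUILDTAGS
ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
ENV PREFIX=/build
# TODO: This is here because hack/make.sh binary copies these extras binaries
# from $PATH into the bundles dir.
# It would be nice to handle this in a different way.
COPY --from=tini        /build/ /usr/local/bin/
COPY --from=runc        /build/ /usr/local/bin/
COPY --from=containerd  /build/ /usr/local/bin/
COPY --from=rootlesskit /build/ /usr/local/bin/
COPY --from=proxy       /build/ /usr/local/bin/
COPY --from=vpnkit      /build/ /usr/local/bin/
WORKDIR /go/src/github.com/docker/docker

# The build stages bind-mount the build context over the source directory
# instead of copying it into a layer.
FROM binary-base AS build-binary
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,target=/go/src/github.com/docker/docker \
        hack/make.sh binary

FROM binary-base AS build-dynbinary
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,target=/go/src/github.com/docker/docker \
        hack/make.sh dynbinary

FROM binary-base AS build-cross
ARG DOCKER_CROSSPLATFORMS
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,target=/go/src/github.com/docker/docker \
    --mount=type=tmpfs,target=/go/src/github.com/docker/docker/autogen \
        hack/make.sh cross

# Export-only stages: they contain nothing but the produced bundles.
FROM scratch AS binary
COPY --from=build-binary /build/bundles/ /

FROM scratch AS dynbinary
COPY --from=build-dynbinary /build/bundles/ /

FROM scratch AS cross
COPY --from=build-cross /build/bundles/ /

FROM dev AS final
# Copies the whole build context into the image.
# NOTE(review): confirm that .dockerignore keeps local credentials and other
# untracked files out of the context.
COPY . /go/src/github.com/docker/docker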